<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
<title>XSS原理重现</title>
</head>
<body>
<form action="" method="get">
<input type="text" name="xss_input">
<input type="submit">
</form>
<hr>
<?php
/**
 * 触发 js脚本
 * 脚本在url地址上
 * 1.用户在提交框 提交 <script>alert("what'up");</script>
 * 2.直接访问 http://localhost/xss/index.php?xss_input=<script>alert("what'up");</script>
 * 3.直接访问url编码的数据 http://localhost/xss/index.php?xss_input=%3Cscript%3Ealert%28%22what%27up%22%29%3B%3C%2Fscript%3E
 * 解决问题的核心 用户的输入必须做过滤,这样输出后才不会执行 可能含有js的脚本
 */
//xss_input = <script>alert("what'up");</script>
$xss = $_GET['xss_input'] ?? '';
//处理xss攻击
$xss = htmlspecialchars($xss);   //转义标签
//$xss = strip_tags($xss);         //过滤标签名
echo '你输入的字符为:<br>'.$xss;
?>
</body>
</html>